To the Mayor and the Council of the Government of the District of Columbia
Inspector General of the Government of the District of Columbia 

We have audited the financial statements of the governmental activities, the business-type 
activities, the aggregate discretely presented component units, the budgetary comparison 
statement, each major fund, and the aggregate remaining fund information of the District of 
Columbia (the District) as of and for the year ended September 30, 2012, which collectively 
comprise the District's basic financial statements and have issued our report thereon dated 
January 28, 2013. We conducted our audit in accordance with auditing standards generally 
accepted in the United States of America and the standards applicable to financial audits 
contained in Government Auditing Standards, issued by the Comptroller General of the United 
States. The financial statements of the District of Columbia Water and Sewer Authority and 
District of Columbia Housing Financing Agency, discretely presented component units of the 
District, were not audited in accordance with Government Auditing Standards. 

Internal Control over Financial Reporting 

Management of the District is responsible for establishing and maintaining effective internal 
control over financial reporting. In planning and performing our audit, we considered the 
District's internal control over financial reporting as a basis for designing our auditing 
procedures for the purpose of expressing our opinions on the basic financial statements, but not 
for the purpose of expressing an opinion on the effectiveness of the District's internal control 
over financial reporting. Accordingly, we do not express an opinion on the effectiveness of the 
District's internal control over financial reporting. 

A deficiency in internal control over financial reporting exists when the design or operation of a 
control does not allow management or employees, in the normal course of performing their 
assigned functions, to prevent, or detect and correct misstatements on a timely basis. A material 
weakness is a deficiency, or combination of deficiencies, in internal control over financial 
reporting, such that there is a reasonable possibility that a material misstatement of the entity's 
financial statements will not be prevented, or detected and corrected on a timely basis. 




KPMG LLP is a Delaware limited liability partnership, 
the U.S. member firm of KPMG International Cooperative 
("KPMG International"), a Swiss entity. 



Our consideration of internal control over financial reporting was for the limited purpose 
described in the first paragraph of this section and was not designed to identify all deficiencies in 
internal control over financial reporting that might be deficiencies, significant deficiencies, or 
material weaknesses. We did not identify any deficiencies in internal control over financial 
reporting that we consider to be material weaknesses, as defined above. However, we identified 
certain deficiencies in internal control over financial reporting that we consider to be significant 
deficiencies and that are described in Appendix A to this report. A significant deficiency is a 
deficiency, or combination of deficiencies, in internal control over financial reporting that is less 
severe than a material weakness, yet important enough to merit attention by those charged with 
governance. 

Compliance and Other Matters 

As part of obtaining reasonable assurance about whether the District's basic financial statements 
are free of material misstatement, we performed tests of its compliance with certain provisions of 
laws, regulations, contracts, and grant agreements, noncompliance with which could have a 
direct and material effect on the determination of financial statement amounts. However, 
providing an opinion on compliance with those provisions was not an objective of our audit, and 
accordingly, we do not express such an opinion. The results of our tests disclosed instances of 
noncompliance or other matters that are required to be reported under Government Auditing 
Standards and which are described in finding 2012-02 in Appendix A to this report. 

We noted certain matters that will be reported to management of the District in a separate letter. 

The District's written responses to the significant deficiencies and instances of noncompliance 
identified in our audit are described in Appendix A. We did not audit the District's responses 
and, accordingly, we express no opinion on the responses. 

Appendix B presents the status of prior year significant deficiencies and instances of 
noncompliance. 

This report is intended solely for the information and use of the Mayor, the Council, the Office 
of the Inspector General, District management, the U.S. Government Accountability Office, the 
U.S. Congress, and federal awarding agencies and pass-through entities and is not intended to be 
and should not be used by anyone other than these specified parties. 

KPMG LLP

January 28, 2013 



Appendix A - Significant Deficiencies in Internal Control Over Financial Reporting 

Finding 2012-01 - Weaknesses in the District's General Information Technology Controls 
Background: 

General Information Technology Controls (GITCs) provide the foundation for a well-controlled 
technology environment that supports the consistent processing and reporting of operational and 
financial data in accordance with management's directives. Our audit included an assessment of 
selected GITCs in four (4) key control areas: Access to Programs and Data, Program Changes, 
Program Development, and Computer Operations. During our assessment, we noted that, while 
the District made progress and remediated certain GITC findings identified during our prior year 
audit, pervasive GITC-related issues continue to exist. 

The GITC environment underwent significant transition during fiscal year 2012. The District is 
currently in the process of modernizing its District-wide System of Accounting and Reporting. 
As a result, certain deficiencies previously identified will continue to exist, as they will not be 
remediated until the new system is implemented. Additionally, the District has already 
remediated other GITC deficiencies during fiscal year 2012. However, as these remediation 
efforts did not take place until fiscal year 2012 was well under way, the conditions continued to 
exist during part of the fiscal year and thus are included in this year's report. 

Our fiscal year 2012 findings included the following: 

Access to Programs and Data 
Conditions: 

1. Failure to consistently restrict privileged and general user access to key financial 
applications in accordance with employee job responsibilities or segregation of duties 
considerations. 

2. Inconsistent performance and documentation of both physical and logical user access 
administration activities, including the approval of new user access and access changes, 
periodic review of user access rights, including whether user access is commensurate with 
job responsibilities, and timely removal of user access upon employee termination. 

3. Use of generic accounts to perform system administration or end user functions within 
key applications without adequate monitoring controls over such activities. 

4. Failure to update the policy that defines the minimum password configuration 
requirements for the District's Information Technology (IT) systems in approximately 
seven years. Further, inquiry and inspection procedures performed indicate that the policy 
was not effectively communicated to responsible personnel. Specifically, we determined: 

a. The Office of the Chief Technology Officer (OCTO) Password Management Policy, 
last revised in November 2004, does not require that systems be configured to 
automatically lock out user accounts after a predefined number of invalid log-on
attempts. 

b. There were various inconsistencies between the requirements outlined in the OCTO 
Password Management Policy and configurations set within certain applications and 
their supporting databases and operating systems. 

c. There is potentially confusing language around the scope of the policy, which 
indicates it is to include "all District Government agencies and all users of DC 
Government computing equipment" when, in fact, the Office of the Chief Financial 
Officer (OCFO) is not under the direction of this policy. 

As this was a finding in both FY2010 and FY2011, OCTO management implemented a 
revised Password Management Policy, effective August 31, 2012, which included a 
requirement for account lockout settings and clearly defines the scope of the policy in 
remediation of the issues noted above. However, a deficiency in the control environment 
existed for the period during the year under audit of October 1, 2011 through August 31, 
2012. 

Program Changes 
Conditions: 

1. Failure to institute well-designed program change policies that establish procedural and 
documentation requirements for authorizing, developing, testing, and approving changes 
to key financial applications and related infrastructure software 1 in the production 
environment. 

2. Inconsistent adherence to established program change management procedures, including 
instances in which changes made to the system were not approved, tested or documented 
appropriately per the established procedures. 

3. Failure to consistently restrict developer access to the production environments of key 
financial applications in accordance with segregation of duties considerations or, if not 
feasible, implement independent monitoring controls to help ensure changes applied to 
the production environment are authorized. 

Program Development 
Conditions 2 : 



1 Infrastructure changes refer to software changes and updates applied to underlying operating systems and 
databases supporting the key financial applications. 

2 Systems Development findings are specific to the Banner application at the University of the District of Columbia 
in FY 2012. 
1. Failure to consistently follow and provide documentation for system development life
cycle policies for authorizing, developing, testing, and approving system developments to 
key financial systems. KPMG noted that formal testing and approval documentation was 
maintained during FY2012 to support the testing and approval for production migration 
of program changes; however, the prior year finding (FY2011) was determined to be only
partially remediated because the following conditions still existed at the time of our audit: 

• Policies and procedures related to generic account management originally defined by 
management during FY2012 did not include requirements for logging and monitoring 
of actions taken under generic accounts. As a result, a series of generic accounts with 
the ability to make changes, including 9 at the database layer, 19 at the operating system
layer, and 33 at the application layer, held active access to the environment through 
FY2012. Of these accounts, a subset were tied to system processes and not 
procedurally logged into by end users while others were no longer necessary to exist 
within the environment. 

• While a complete list of patches applied to the application could be provided, changes 
impacting the functionality of the application made directly through the database 
during the period could not be produced in order to assess effectiveness of program 
change controls. 

2. Failure to consistently restrict developer access to the production environments of key 
financial applications in accordance with segregation of duties considerations or, if not 
feasible, implement independent monitoring controls to help ensure changes applied to 
the production environment are authorized. 

As part of our review in FY2012, Management implemented a policy requiring that the 
individual responsible for developing the change would not be the same individual 
responsible for migrating the change; however, the two developers with access to 
production remain able to circumvent this policy without detective controls to identify if 
such instances were to occur. 

3. Usage of generic accounts during the implementation to apply changes to the application, 
operating system, and underlying database with no evidence of monitoring of these 
generic accounts. 

As part of our assessment for FY2012, KPMG determined that new policies and 
procedures were implemented to: 

• Govern the use of generic accounts within the environment only when absolutely 
necessary to support a business or application function, and 

• Govern the change management process and the nature and extent of testing and 
approvals to be documented for program changes made to the application. 

Computer Operations 
Conditions: 

1. Failure to establish a monitoring process for identifying and addressing production job 
failures in several systems. 
2. Failure to retain system-generated documentation from the scheduling and processing
utility to evidence the completion status of system jobs scheduled through the 
applications' utilities. 



3. Failure to perform official testing to confirm that several system backup tapes can be 
successfully recovered and restored. 

The table below summarizes the key financial applications that were impacted by the findings 
noted above. 



Table 1: Summary of Applications Impacted by the Findings 
Criteria:



1. The Federal Information Security Management Act (FISMA), passed as part of the 
Electronic Government Act of 2002, mandates that Federal entities maintain IT security 
programs in accordance with National Institute of Standards and Technology (NIST). The 
following NIST criteria were considered: 

a. NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, 
October 1995; 

b. NIST SP 800-53, Revision 3, Recommended Security Controls for Federal 
Information Systems and Organizations, August 2009; 

c. NIST SP 800-64, Security Considerations in the System Development Life Cycle, 
October 2008; and 

d. NIST SP 800-14, Generally Accepted Principles and Practices for Securing 
Information Technology, September 1996. 

2. The Information Systems Audit Control Association (ISACA) Control Objectives for 
Information and related Technology (COBIT®) 4.1, 2007. 

Cause/Effect: 

The findings highlighted above include weaknesses in both the design and operating 
effectiveness of controls considered relevant to the access to programs and data, program 
changes, program development, and computer operations areas. Although management has made 
progress remediating previous findings, additional improvements in formalizing key GITC 
processes and creating an effective monitoring function are needed. The existence of these 
findings increases the risk that unauthorized changes applied to key financial applications and 
the data they process adversely affect application processing and data integrity and, as a result, 
may impact the financial statements. Additionally, the existence of these findings impacts the 
reliability of key application reports and the ability to rely upon automated, configurable controls 
embedded within key financial applications. 

Recommendations: 

We noted that management did remediate several control deficiencies from the prior year. There 
were 36 NFRs documented in FY2011. Of them:

• 10 represented findings that had been remediated during FY2011 (as part of remediation 
efforts for FY2010 NFRs); 

• 8 were remediated during FY2012; and, 

• 9 were partially remediated during FY2012. 

We recommend that management continue to perform the remediated control activities put in 
place. Further, we recommend that management monitor the effectiveness of these controls on a 
regular and periodic basis going-forward. 
To the extent the following findings are not remediated, we recommend the following:

1. Related to Access to Programs and Data controls, we recommend that management: 

a. Assess and update or, as applicable, develop and document access management 
policies and procedures for production applications and underlying infrastructure 
systems. These policies and procedures should address requirements for clearly 
documenting user access requests and supervisory authorizations, periodic reviews of 
the appropriateness of user access by agency business management, timely 
communication of employee separations/transfers, and disablement/removal of the 
related user access. Management should formally communicate policies and 
procedures to control owners and performers. Further, management should institute a 
formalized process to monitor adherence to policies and procedures related to key 
controls and, as performance deviations are identified, follow up as appropriate. 

b. Develop and implement controls that establish organizational and logical segregation 
between program development roles, production administration roles, and business 
end user roles among different individuals or, independently performed monitoring of 
the activities of users provided with conflicting system access over the activities of the 
developers (and other individuals) with administrative access that require the 
documentation of monitoring activities as well as follow up on any suspicious 
behavior within the system. 

c. Restrict the use of generic IDs or, if such access is required, implement independent 
monitoring of the activities performed using generic IDs. 

d. Develop and formally document the physical access management policy and 
procedures for all server rooms. We recommend that these include, at a minimum, 
procedural and documentary requirements for: 

i. Requesting and approving physical access; 

ii. Timely disablement/removal of physical access rights during instances of 
employee separations; and 

iii. Performing periodic reviews of access in consideration of users' ongoing need 
to retain physical access, and the modification of any updates required as a 
result of inappropriate access identified during the review process. 

2. Related to Program Change controls, we recommend that management: 

a. Develop and implement change management processes and controls that establish one 
or more of the following: 

i. Organizational and logical segregation of program development roles from 
production system and database administration roles among different 
individuals; and 
ii. Implementation of one or more independently operated monitoring controls
over the activities of the developers (and other individuals) with 
administrative access that require the documentation of monitoring activities 
as well as follow up on any suspicious behavior within the system. 
Documentation of these monitoring controls should be maintained and include 
sign-off of the review as well as notations as to the appropriateness of the 
actions taken by the developers within the database. Further, any suspicious 
activity, such as modifications to functionality or data without corresponding 
change request approvals, should be followed-up upon, as necessary. 

iii. Additionally, management should continue to document the performance of 
User Acceptance Testing (UAT). 

b. Configure settings or implement monitoring tools to log changes made to application 
functionality, including all configuration changes. 

3. Related to Program Development Controls, we recommend that management: 

a. Develop and implement program development processes and controls that establish 
one or more of the following: 

i. An evaluation of the generic accounts that exist and documentation of the 
purpose of each generic account required to remain active, if any. 
Furthermore, for generic accounts that are required to remain active, we 
recommend management implement a formal process to approve and 
document each access request to generic accounts and perform a documented 
periodic review of generic account activity. 

ii. The implementation of procedural and documentary requirements for: 

• Recording the nature of each change being applied; 

• Evaluating the impact and risk of each change relative to objective rating 
criteria; 

• Approving (and documenting such approvals of) changes; and 

• Validating the functionality/system impact of each change via pre- 
production testing in a model environment. 

4. Related to Computer Operations controls, we recommend that management: 

a. Implement any required changes to support an extended retention of job processing 
logs in support of audit requirements. Additionally, we recommend that management 
continue to save daily Excel reports produced by systems to limit the impact of any 
future archival issues. 

b. Document the completion of the new process put in place to monitor open application 
incidents reported to the OCFO Help Desk that are forwarded to the TSG, and also to 
ensure that they are remediated within a defined time period that is acceptable to 
application owners. 

c. Implement policies and procedures to ensure that backup tapes are officially tested on 
a semi-annual basis to confirm successful recovery and restoration of data. 
These procedures should be provided to and discussed with the personnel responsible for
enforcing the control activity. Further, management should monitor the personnel responsible 
for enforcing the control activity periodically. 

Management Response: 

The District concurs with the auditor's findings and agrees that there are weaknesses in its 
general information technology controls. Over the last several years, the District has engaged in 
an extensive remediation process to address and resolve the reported findings and to strengthen 
internal controls related to information technology. While much improvement has been made as 
a result of that effort, we recognize that there are areas in which improvement is still needed. 
Therefore, the District will continue its remediation activities and will, as part of that process, 
incorporate the recommendations made by the auditor as we work to improve controls related to: 
Access to Programs and Data, Program Changes, Program Development, and Computer 
Operations. 

Finding 2012-02 - Weaknesses in the District's Procurement and Disbursement Controls and 
Non-compliance with Laws and Regulations 

Conditions: 

During our FY 2012 testwork, we noted that in order to be as efficient and effective as possible, 
the District has established District-wide policies and procedures to procure goods and services 
and to make payments for those goods and services at the Office of Contracts and Procurement 
(OCP), as well as at those agencies that have independent procurement authority. Further, these 
policies and procedures serve to ensure the District's compliance with various laws and 
regulations governing procurements and payments, such as the Procurement Practices Act and 
the Quick Payment Act. 

OCP has implemented a comprehensive, multi-year remediation plan to address previously 
identified deficiencies and has completed the steps scheduled for FY 2012. While these 
remediation efforts resulted in improvements within the Procurement process, we still noted 
deficiencies that continue to be repeated from previous years during FY 2012. Specifically, we 
noted the following: 

For our sample of sole-source procurements we noted: 

a. For 10 of 38 sole source procurements, we noted that there was not sufficient 
documentation to validate the sole source method was justified. 

b. For 1 of 38 sole source procurements tested, the Council approval was not available for 
review. 

c. For 1 of 38 sole source procurements, the Determination and Findings was not available 
for review. 
d. For 1 of 38 sole source procurements, the purchase order amount is greater than the
contract amount by $150,000. 



e. For 1 of 38 sole source procurements, the contract did not cover the period of the 
purchase order. 

Pursuant to Section 201 (b) of the PPRA, the Department of General Services (DGS) is an 
Independent Agency and is authorized to exercise procurement authority to carry out its 
procurement independent of the Office of Contracting and Procurement (OCP). However, these 
procurements are still classified under OCP in the general ledger and as such were included in 
our testing. Of the 38 sole-source procurements tested, 2 of them related to DGS. Of the 2 we 
noted the following: 

a. For 1 of 2 sole source procurements, the procurement file was not available for review. 

b. For 1 of 2 sole source procurements, the contractor's delegation of authority was not 
available for review. 

For our sample of emergency procurements tested, we noted: 

a. For 5 of 13 emergency procurements we noted that there was not sufficient 
documentation to validate the emergency procurement method was justified. 

b. For 1 of 13 emergency procurements, the determination and finding (D&F) was not made 
available for review. 

c. For 3 of 13 emergency procurements, the period of performance exceeded the 120 day 
maximum duration requirement for an emergency procurement. 

Pursuant to Section 201 (b) of the PPRA, the Department of General Services (DGS) is 
authorized to exercise procurement authority to carry out its procurement independent of OCP. 
However, these procurements are still classified under OCP in the general ledger and as such 
were included in our testing. Of the 13 procurements tested, we noted 1 of them related to DGS. 
Specifically, we noted: 

a. For the 1 DGS emergency procurement, the contracting officer's delegation of authority 
was not available for review. 

For our sample over competitive procurements executed during the year: 

a. For 30 of 131 competitive procurements, there was no evidence that the procurement 
went through the competitive process. 

b. For 2 of 131 competitive procurements, the Council approval was not available for 
review. 

c. For 15 of 131 competitive procurements, the evidence of the excluded party list was not 
available for review. 
d. For 1 of 131 competitive procurements, evidence of the contractor compliance with the
District tax code was not available for review. 

e. For 1 of 131 competitive procurements, there were insufficient quotes available for 
review for small purchases. 

f. For 1 of 131 competitive procurements, the contract was missing the authorizing 
signature. 

g. For 2 of 131 competitive procurements, the contract was not available for review. 

h. For 1 of 131 competitive procurements, the contract was not available for review. 

As noted in DC ST 7-3005.01, we noted that the Director of the Department of Health is 
authorized to exercise procurement authority to carry out its procurement independent of 
OCP. However, these procurements are still classified under OCP in the general ledger and 
as such were included in our testing. Of the 131 competitive procurements tested, we noted 9 
of them related to Human Care Contracts. Of these 9 we noted the following: 

a. For 7 of 9 agreements, the determination and finding was not available for review. 

b. For 3 of 9 agreements, the period of performance noted in the agreement did not 
cover the period being audited. 

c. For 1 of 9 agreements, the agreement was not available for review. 

d. For 1 of 9 agreements, the Attorney General legal review/approval was not available 
for review. 

e. For 2 of 9 agreements, evidence of the excluded party list was not available for 
review. 

f. For 4 of 9 agreements, evidence of the contractor compliance with the District tax 
code was not available for review. 

Pursuant to Section 201 (b) of the PPRA, the Department of General Services (DGS) is 
authorized to exercise procurement authority to carry out its procurement independent of OCP. 
However, these procurements are still classified under OCP in the general ledger and as such 
were included in our testing. Of the 131 competitive procurements tested, we noted 2 of them 
related to DGS. Specifically we noted: 

a. For 2 of 2 competitive procurements, there were insufficient quotes available for 
review for the small purchases. 
During our testing over the District's three Independent Agency's procurement transactions, we
tested over 100 procurements and noted exceptions related to the Department of General 
Services (DGS) and Office of the Chief Financial Officer. Specifically, we noted the following: 



For sole-source procurements, we noted that: 

a. For 6 of 25 sole source procurements, there was no delegation of authority available for 
review. All 6 exceptions related to the Department of General Services. 

b. For 2 of 25 sole source procurements, all relating to the Department of General Services, 
the contract was not available for review. 

c. For 2 of 25 sole source procurements, all relating to the Department of General Services, 
there was no evidence of compliance with the District's tax code. 

d. For 2 of 25 sole source procurements, the method for use of sole-source procurement was 
not justified. Both exceptions related to the Office of the Chief Financial Officer. 

For emergency procurements we noted that: 

a. For 16 of 16 DGS emergency procurements, the contracting officer's delegation authority 
was not available for review. 

b. For 6 of 16 DGS emergency procurements, the length of procurement is greater than 90 
days. 

c. For 3 of 16 DGS emergency procurements, there is no evidence as to whether the Agency 
verified whether or not the vendor was suspended or debarred. 

d. For 3 of 16 DGS emergency procurements, there is no evidence of compliance with the 
District's tax code. 

For competitive procurements we noted that: 

a. For 78 of 78 DGS competitive procurements, the contracting officer's delegation of 
authority was not available for review. 

b. For 2 of 78 DGS competitive procurements, the legal sufficiency reviews were not 
available for review. 

c. For 9 of 78 DGS competitive procurements, the evidence to support that the procurement
went through a competitive process was not available for review.

d. For 8 of 78 DGS competitive procurements, the number of quotes available for review 
was not sufficient per DGS policy. 
e. For 4 of 78 DGS competitive procurements, the evidence supporting that the search for
the excluded and debarred was performed was not available for review. 

f. For 8 of 78 DGS competitive procurements, the signed contract document was not 
available for review. 

g. For 4 of 78 DGS competitive procurements, the evidence supporting that the vendor was 
compliant with the District tax compliance was not available for review. 

During our testing over purchase card (P-card) transactions and monthly P-card statement 
reconciliations, we noted the following deficiencies: 

a. For 22 of the monthly reconciliations totaling $3,304,205 of the 36 monthly 
reconciliations tested totaling $4,349,614, we noted that the reconciliations were not 
reviewed and approved by the approving official in a timely manner in accordance with 
OCP Policy No. 2009-01. Of the 22 exceptions we noted the following Agencies did not 
comply with the policy: 

■ Fire and Emergency Medical Services (7) 

■ Metropolitan Police Department (3) 

■ Office of Tenant Advocate (3) 

■ Office of the Mayor (4) 

■ Office of the Secretary (1) 

■ DC Public Library (1) 

■ Office of Contracting & Procurement (3) 

b. For 5 individual transactions totaling $15,090 out of 40 transactions tested totaling 
$252,456, there was not sufficient documentation to support the purchase or validate that 
it was for an approved transaction. All 5 exceptions were from the Office of Tenant 
Advocate. 

c. For 2 individual transactions totaling $11,850 out of 40 transactions tested totaling 
$252,456, we noted that the authorizer approved purchases exceeding the $2,500 single 
and $10,000 cycle transaction limit. These exceptions related to the Office of the Mayor 
and the Metropolitan Police Department. 

d. For 3 monthly statements totaling $134,343 of 36 monthly statements totaling 
$4,349,614, we noted that 2 cardholders exceeded their approved cycle limit for the 
months reviewed. These exceptions related to Fire and Emergency Services and the 
Office of Tenant Advocate. 

e. For 1 transaction totaling $100,411 out of 40 transactions tested totaling $252,456, the 
cardholder exceeded the small purchase limit of $100,000 per PPRA Sec. 407 small 
purchase procurements. This exception related to the Office of Contracting and 
Procurement. 

In our testing of procurement and disbursement transactions at the District of Columbia Public 
Schools (DCPS), we noted the following: 

a. For 3 of 180 purchase order files for payments totaling $13,673, the files did not 
originally include a search for federal debarment. DCPS subsequently provided a note 
stating that the system was down on that day, but since the document was not originally 
in the file, we cannot verify that a search was performed during the procurement process. 

b. For 1 of 64 contract files for a payment totaling $11,492, the file did not include the 
required Determination and Findings. 

c. For 1 purchase order and contract file for payment totaling $382, the purchase order file 
and contract file were not provided by DCPS. 

In our testing of compliance with the District of Columbia Quick Payment Act, we noted that: 

a. 1 of 67 District payments (i.e. non-DCPS) selected for testing was not paid timely in 
accordance with the Quick Payment Act. 

b. 100 of 426 DCPS payments selected for testing were not paid timely in accordance with 
the Quick Payment Act. 

Criteria: 

The Procurement Practices Act indicates the following: 

27 DCMR chapter 17, states that: "In each instance where the sole source procurement 
procedures are used, the contracting officer shall prepare a written determination and findings 
("D&F") justifying the procurement which specifically demonstrates that procurement by 
competitive sealed bids or competitive sealed proposals is not required." 

27 DCMR chapter 17, states that: "Each sole source D&F for a procurement in an amount 
greater than twenty-five thousand dollars ($25,000) shall be reviewed by the Director before 
solicitation and shall be approved by the Director before contract execution." 

DC Code 1-204.51, states that: "prior to the award of a multiyear contract or a contract in 
excess of $1,000,000 during a 12-month period, the Mayor or executive independent agency or 
instrumentality shall submit the proposed contract to the Council for review and approval." 

DCMR chapter 17 states that "An "emergency condition" is a situation (such as a flood, 
epidemic, riot, equipment failure, or other reason set forth in a proclamation issued by the 
Mayor) which creates an immediate threat to the public health, welfare, or safety. The 
emergency procurement of services shall be limited to a period of not more than one hundred 
twenty (120) days. If a long-term requirement for the supplies, services, or construction is 
anticipated, the contracting officer shall initiate a separate non-emergency procurement action 
at the same time that the emergency procurement is made. The contracting officer shall attempt 
to solicit offers or proposals from as many potential contractors as possible under the emergency 
condition. An emergency procurement shall not be made on a sole source basis unless the 
emergency D&F includes justification for the sole source procurement. When an emergency 
procurement is proposed, the contracting officer shall prepare a written determination and 
findings (D&F) that sets forth the justification for the emergency procurement." 

Financial Management and Control Order 07-004A states that "Direct Voucher payment 
requests that are not explicitly identified in Financial Management and Control Order 07-004A, 
shall be submitted to the Deputy Chief Financial Officer for the Office of Financial Operations 
and Systems (OFOS) for consideration and approval in accordance with policy and procedures 
set forth for direct voucher payment review and consideration by OFOS." 

According to the District Purchase Card program policies and procedures: 

• Purchase limit: An individual who is issued a P-Card under the DC Purchase Card Program 
shall use the purchase card to buy commercially available goods and services, for Official 
Government Business only, with a value that does not exceed $2,500 per single transaction 
and a total amount of $2,500 per card per day and $10,000 per card account per monthly 
cycle, unless otherwise specified by the Chief Procurement Officer in the delegation of 
contracting authority. 

• Reconciliation: Each approving official will have a queue of all P-card statements waiting 
for them in the PaymentNet system. By the 27th of each month, the Approving Official 
should obtain original receipts from cardholders under their jurisdiction and ensure that the 
cardholders have reviewed all transactions in PaymentNet. The Approving Official should 
review each transaction to verify that the good or service was received, that the nature of the 
purchase was within programmatic guidelines, and that the receipts match the amount listed 
in PaymentNet. The Approving Official should mark each transaction as Approved in 
PaymentNet by the 3rd day of the subsequent month. 

According to DC Code 1-204.51, "prior to the award of a multiyear contract or a contract in 
excess of $1,000,000 during a 12-month period, the Mayor or executive independent agency or 
instrumentality shall submit the proposed contract to the Council for review and approval" 

Also, DC Code 2-301.05(G) states that "All contracts over a million dollars must go to the 
Office of the Attorney General (OAG) for a legal sufficiency review." 

27 DCMR chapter 15 

1511.3 Prospective bidders that have been debarred or suspended from District contracts or 
otherwise determined to be ineligible to receive awards shall be removed from solicitation 
mailing lists to the extent required by the debarment, suspension, or other determination of 
ineligibility 

The requirements for allowable costs/cost principles are contained in the A-102 Common Rule 
(§ .22), OMB Circular A-110 (2 CFR section 215.27), OMB Circular A-87, "Cost Principles 
for State, Local, and Indian Tribal Governments" (2 CFR part 225), program legislation, Federal 
awarding agency regulations, and the terms and conditions of the grant award. Management is 
required to maintain adequate internal controls to prevent and detect instances of noncompliance. 

The District's Quick Payment Act indicates the following: If a contract specifies the date on 
which payment is due, the required payment date is the date specified in the contract. If a 
contract does not specify a payment date, the required payment date will be one of the following: 

(a) Meat and meat food products - the seventh (7th) day after the date of delivery of the meat or 
meat product; 

(b) Perishable agricultural commodities - the tenth (10th) day after the date of delivery of the 
perishable agricultural commodity; or 

(c) All other goods and services - the thirtieth (30th) day after the receipt of a proper invoice by 
the designated payment officer. 

Cause/Effect: 

District agencies are not adhering to the established policies and procedures governing creation 
and maintenance of procurement documentation and the payment of vendor obligations, which 
may cause noncompliance with the Procurement Practices Act and the Quick Payment Act. 
Additionally, internal controls need to be improved to ensure compliance with all procurement 
laws and regulations. 

Recommendation: 

We recommend that the District continue to strengthen its internal controls over procurement 
through the implementation of its deficiency remediation plan. These implementation efforts 
should continue to be led by the OCP Procurement Integrity and Compliance Office (PICO), and 
sufficient resources should be provided to this office to ensure it can successfully implement the 
remediation plan. The performance measurement statistics monitored by PICO should be 
provided to both the Mayor and the Chief Financial Officer at least semi-annually so that senior 
District management is apprised of progress on the remediation plan. 

Management Response: 

Consistent with the Independent Auditor's view of measurable improvements in procurement 
practices at the Office of Contracting and Procurement (OCP), for the fifth consecutive year, 
OCP recorded a year-to-year decline (7%) in its total number of audit findings. While one audit 
finding is one too many, this administration is encouraged by data showing a sustained reduction 
in the prevalence and severity of noncompliance issues across the many thousands of 
requisitions processed yearly by OCP's procurement staff. 

As noted by the Independent Auditor, a considerable number of audit findings were from 
contracts awarded in prior years. In fact, a review of the audit sample shows that contracts 
awarded before calendar year (CY) 2011 (58 percent of deficient contracts) accounted for 70 
percent of OCP's FY 2012 audit findings. 

The Independent Auditor also cited several instances where Sole Source and Emergency 
Procurements were "not justified". While it might appear that OCP did not comply with 
established regulations, the root cause for selecting the sole source and emergency procurement 
methods was to avoid disruptions to critical government operations. The regulations allow for 
this, and to the extent that this was a factor, it should be viewed that affected contracting officers 
were reasonably exercising their professional judgment. 

What is at issue here is when the emergency or sole source methods are repeatedly exercised, 
with the same vendor, over an extended period. This scenario is not unique to OCP and 
highlights the concern around the effectiveness of procurement planning in general, and how 
poor planning could hinder competitive practices, give the appearance of unfair advantages to 
select vendors, or result in missed opportunities to obtain the best value and price for services 
rendered beyond the final option year of a contract. 

The Independent Auditor noted the shared responsibility of acquisition planning efforts. The 
District agrees with this assessment and will take measures to foster collaboration between 
agencies and their respective contracting offices to improve the procurement process - with 
regards to forecasting and fulfilling needs - and to better mitigate associated risks. 

Finally, OCP has been responsive to the Independent Auditor's recommendation in the FY 2011 
Yellow Book Report to continue to implement, monitor, and report on the results of its 
deficiency remediation plan to both the Mayor and the Chief Financial Officer. In FY 2012, 
OCP's Office of Procurement Integrity and Compliance (OCP-OPIC) coordinated District-wide 
remediation activities, and performed limited testing of transactions at 8 independent agencies 
cited in the prior year report. 

As noted in last year's management response, although the percentage share of OCP's CAFR 
deficiencies was down (41% in FY11 as compared to 68% in FY10), District-wide totals were 
trending upwards, requiring cooperation between OCP and independent agencies. Consequently, 
the objectives of OCP-OPIC activities were to raise awareness, and provide those charged with 
governance the data needed to make operational adjustments as needed. 

This year's results are no different. OCP's share of District-wide deficiencies has fallen (29% in 
FY 2012 as compared to 41% in FY 2011); while the total number of procurement audit findings 
for the District has risen. Coordination of remediation actions and the sharing of best practices 
must continue to improve results across the entire procurement continuum. 

Finding 2012-03- Weaknesses in the District's Internal Controls Surrounding Tax Revenue 
Accounting and Reporting 

Conditions: 

During our testing over the District's Tax Revenue, which is under the jurisdiction of the Office 
of Tax and Revenue (OTR), we noted the following: 

a. The Office of Financial Operations and Systems (OFOS) relies upon the District Office 
of the Attorney General (OAG) to provide estimates of the amounts to be considered for 
accrual related to all outstanding claims and judgments in the District's financial 
statements. This review historically only covers those claims and judgments in excess of 
$200,000. Individual settlements associated with Superior Court Appeals are usually less 
than the $200,000 threshold used. As a result, most outstanding Superior Court Appeals 
related to property tax assessments are not being assessed for inclusion in the District's 
fiscal year end claims and judgment accrual. This resulted in an understatement of the 
accrual due to property tax assessments of approximately $58 million as of September 30, 
2012. District management subsequently recorded an adjustment to correct for this 
understatement in its 2012 government-wide financial statements. 

b. OTR records accounts receivables for Sales & Use and Personal Income taxes at the fully 
realizable amount instead of applying the one-year availability criteria to the balances. 
This resulted in an understatement of deferred revenue of approximately $5.5 million and 
$17.4 million for Sales & Use and Personal Income taxes, respectively. 

c. OTR's Real Property Tax Administration (RPTA) tracks information related to real 
property assessment appeals, with the exception of those appeals that are remanded to 
District Superior Court, in the FoxPro system. RPTA loads FoxPro information into the 
Integrated Tax System (ITS) through a process whereby RPTA personnel export a 
database file from FoxPro and upload the file. ITS is programmed to automatically 
transfer the FoxPro database file from the network folder to ITS. We noted that there is 
no formal review process in place to check the completeness and accuracy of the 
information uploaded into ITS from FoxPro. 

d. During our internal control testwork over real property assessment appeals, 2 adjustments 
out of 40 adjustments tested were not approved by the Chief Assessor as required by the 
Appeals Division's policies and procedures. 

e. Monthly reconciliations between certain tax revenue subsidiary records and the general 
ledger contained un-reconciled differences that were not identified during the supervisory 
review of the reconciliation. Of 15 reconciliations tested, we noted 2 reconciliations with 
combined unreconciled differences of $10,865. In addition, we noted that for 1 of the 
reconciliations, the supervisory review was not performed timely. 

Criteria: 

Yellow Book, Appendix I, section A1.08 d., states that management at a State and Local 
government entity is responsible for "establishing and maintaining effective internal control to 
help ensure that appropriate goals and objectives are met; following laws and regulations; and 
ensuring that management and financial information is reliable and properly reported;" 

District of Columbia - Office of the CFO, Policies and Procedures, Section 35303003.40 states 
that the Refund Control Unit (RCU) of RAA is responsible for "tracking, reviewing, qualifying, 
approving, and recording refund disbursement requests. The RCU manager has the overall 
responsibility for managing the staff and the process related to refund disbursements. The Office 
of Finance and Treasury (OFT) produces and disburses check and/or direct deposits in response 
to RAA/RCU requests. 

District of Columbia - Office of the CFO, Policies and Procedures, Section 35301009.40 states 
that RAA is responsible for "having the refund reconciliation completed and for journaling all 
outstanding items that are on the final reconciliation of the quarter." 

The Assessment Division within the Real Property Tax Administration has established 
requirements as follows: 

• For all changes from the current to proposed (new) Estimated Market Values (EMV) on 
property between 10% and 39% or between $1 million and $4 million, manual approval 
of the Hearing Officer is required in addition to approval by the Appraiser and Unit 
Supervisor. 

• For changes from the current to proposed (new) EMV on property for amounts that 
exceed 40% and $4 million, manual approval of the Chief Assessor is required in addition to 
approval by the Appraiser, Unit Supervisor, and Hearing Officer. 

GASB Statement No. 33 Accounting and Financial Reporting for Nonexchange Transactions 
states that 

"When the modified accrual basis of accounting is used, revenues resulting from nonexchange 
transactions should be recognized as follows: Derived tax revenues. Recipients should recognize 
revenues in the period when the underlying exchange transaction has occurred and 
the resources are available." 

The Committee of Sponsoring Organizations of the Treadway Commission - Internal Control 
Integrated Framework states that, "The Internal control systems need to be monitored—a process 
that assesses the quality of the system's performance over time. This is accomplished through 
ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing 
monitoring occurs in the course of operations. It includes regular management and supervisory 
activities, and other actions personnel take in performing their duties. The scope and frequency 
of separate evaluations will depend primarily on an assessment of risks and the effectiveness of 
ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with 
serious matters reported to top management and the board." 

Cause/Effect: 

Policies, procedures and controls need to be improved to address the noted deficiencies. Failure 
to address these noted deficiencies could result in misstatements in the fund and 
government-wide financial statements. 

Recommendations: 

We recommend that OTR strengthen its policies, procedures and controls to ensure that the 
above noted deficiencies are addressed. 

Management Response: 

The Office of Tax and Revenue (OTR) continues to build an internal control program that is 
based on risk identification and self-assessment, with an awareness of the value of implementing 
certain controls while delaying the implementation of others. 

Management concurs with the reported findings, and will revise procedures and reinforce them 
with staff as appropriate. For those findings that relate directly to the District's annual financial 
statements, OTR will make the recommended changes to the accounting treatment to be applied. 
OTR has already begun to improve the methodology and data used to estimate the 
government-wide financial statement liability, even though relatively few Superior Court real property tax 
appeal cases are decided each year outside of those for which the District participates in a 
settlement agreement. With regard to the treatment of accounts receivable, although OTR has 
consistently applied the same methodology from year-to-year, it has developed a procedure for 
determining Sales & Use and Personal Income tax receivables expected to be recognized as 
deferred revenue. 

In October 2012, OTR implemented new processes and controls surrounding the upload of data 
from FoxPro into the Integrated Tax System and automation to enforce tiered approvals for 
assessment changes resulting from first level appeals. OTR also implemented an automated 
tiered approval process within the First Level Appeals Tracking Systems, which significantly 
reduces the risk that a valuation change could be made without proper authorization. 

OTR will reinforce requirements for supervisory review and periodic reconciliation of subsidiary 
ledgers and tracking systems to SOAR entries to prevent and detect data entry errors. 

Finding 2012-04- Weaknesses in the District's Financial Reporting for Capital Assets 

Conditions: 

During our FY 2012 testwork, we noted that the District does not have uniform, District-wide 
policies and procedures for the identification of completed capital projects to ensure that projects 
are transferred from Construction-in-Progress (CIP) to capital assets in service in the period in 
which the assets are placed in operation consistently across District agencies. We noted that the 
methods currently used by agencies to account for CIP vary widely throughout the District, 
which results in a highly decentralized and inconsistently applied capital assets financial 
reporting process. We also noted that the District does not have a formal procedure in place to 
monitor CIP balances to ensure timely transfer of costs to capital assets upon project completion. 
Additionally, a detail of current capital expenditures and costs associated with completed 
projects transferred to capital assets by project is not available at the Office of Financial 
Operations and Systems (OFOS), although District agencies transfer CIP based on the 
completion of a project. 

As a result of these deficiencies, during our testwork over a sample of 25 projects totaling 
approximately $966 million transferred to CIP during FY 2012, and a sample of 25 projects 
totaling approximately $729 million remaining in CIP at September 30, 2012, we identified the 
following errors in capital assets and CIP balances: 

a. $365.4 million reported in CIP as of September 30, 2012 related to projects that were 
completed in prior fiscal years and should have been transferred to capital assets prior to 
FY 2012. We also noted that accumulated depreciation for these assets was understated 
by approximately $17.8 million, as depreciation should have started accruing in prior 
years when the related assets were placed in operation. We proposed an audit adjustment 
to management, who corrected the error in the 2012 governmental activities financial 
statements. 

b. $311 million transferred to capital assets in the current year that related to projects 
completed in prior fiscal years. We noted that accumulated depreciation for these capital 
assets was understated by approximately $12.9 million, as depreciation should have 
started accruing in prior years when the related assets were placed in operation. We 
proposed an audit adjustment to management, who corrected the error in the 2012 
government-wide financial statements. 

c. Additionally, we noted that the internal controls in place over the review of Agency 
submitted Closing Packages, performed by OFOS, are not operating effectively to ensure 
timely and accurate reporting of District capital asset additions for financial reporting. 
Specifically, we noted: 

• For 4 of 8 agency Closing Packages, the Closing Package review checklist was 
signed by the OFOS reviewer prior to the review being completed. 

• For 2 of 7 Agency Closing Packages, the Closing Package was prepared and 
reviewed by the same individual in OFOS. 

d. Of a sample of 42 capital expenditures totaling $103.8 million, we noted for 2 sample 
items tested totaling $7.5 million, supporting documentation for the expenditure was not 
provided for $2,322 of the sampled amount. 

Criteria: 

GASB Statement No. 34 - Basic Financial Statements-and Management's Discussion and 
Analysis-for State and Local Governments: According to Governmental Accounting Standards 
Board (GASB) Statement No. 34, paragraph 19, capital assets include land, improvements to 
land, easements, buildings, building improvements, vehicles, machinery, equipment, works of art 
and historical treasures, infrastructure, and all other tangible or intangible assets that are used in 
operations and that have initial useful lives extending beyond a single reporting period. In 
compliance with GASB No. 34, Governments should report all capital assets, including 
infrastructure assets, in the government-wide statement of net assets and generally should report 
depreciation expense in the statement of activities. 

Cause/Effect: 

The District has not developed sufficient policies and procedures to ensure costs transferred from 
CIP are tracked on a project level and that the amounts transferred are properly supported. 
Furthermore, the District lacks a complete and formalized capital asset financial reporting policy 
that includes requirements for proper identification, tracking and recording of capital 
expenditures and capital asset additions and disposals, including transfers from CIP to fixed 
assets, to ensure complete and accurate recording of capital assets in the government-wide 
financial statements. 

Without effectively designed and implemented internal controls over the financial reporting 
process for capital assets, misstatements in capital asset balances may not be prevented or 
detected in a timely manner. 

Recommendations: 

We recommend that the District strengthen its internal controls over the financial reporting 
process for capital assets to ensure that capital asset balances are complete and accurate as of the 
fiscal year end. This should include the following: 

• Implementing a centralized project accounting system that is fully integrated with the general 
ledger that allows capital asset transactions to be tracked at an invoice and project level. 

• Developing District-wide policies and procedures for identifying completed capital projects 
to ensure that projects are transferred from CIP to capital assets in the period in which the 
assets are placed in operation. 

• Developing District-wide policies and procedures for identifying capital project expenditures 
that are non-capital in nature and ensuring such expenditures are expensed in the period 
incurred. 

• Providing training to District agencies regarding policies and procedures for determining 
proper classification of capital expenditures and timely transfer of completed projects to fixed 
assets to reinforce that such procedures are uniformly applied across the District. 

• Reconciliation of agency fixed asset activity to the general ledger on a periodic basis, rather 
than only at year-end. 

• Adherence to existing internal control procedures for the review and approval of 
agency-reported closing package information to ensure that the closing packages are submitted 
timely and that the reported capital asset data is complete and accurate. 

Management Response: 

The District concurs with the findings as noted and will implement measures to mitigate the 
reported deficiencies. The OCFO's Office of Financial Operations and Systems is in the process 
of developing policies and procedures for closing out capital projects. It is anticipated that such 
policies and procedures will be finalized and implemented during fiscal year 2013. To the extent 
deemed to be necessary, training will also be held to ensure that responsible parties are 
knowledgeable of the required procedures. Implementation of the procedures for capital projects 
along with training should result in improved standardization of practices among District 
agencies. Other measures will be implemented as needed to improve the District's processes for: 
reconciling agency capital asset activity to the general ledger; and reviewing and approving 
agencies' capital assets closing packages. 

Appendix B - Status of Prior Year Significant Deficiencies in Internal Control Over Financial Reporting 

| Prior Year Finding # | Prior Year Finding Title | Prior Year Finding Classification | Current Status |
|---|---|---|---|
| 2011-01 | Weaknesses in the District's General Information Technology Controls related to: Access to Programs and Data; Program Changes; Program Development; Computer Operations | Significant Deficiency | Repeated as a significant deficiency in fiscal year 2012 |
| 2011-02 | Weaknesses in the District's Procurement and Disbursement Controls related to: Lack of supporting Documentation; Inadequate approvals; Non-compliance with emergency criteria; Pcard reconciliations; Quick Payment Act | Significant Deficiency | Repeated as a significant deficiency in fiscal year 2012 |